The data breach included a client list that covered major companies such as Oracle, Airbus, and Porsche. More than that — seventy thousand services and storage systems are now publicly available.

Cybercriminals believe breaching an IT service provider like Citycomp is the ultimate win.

By cracking the defenses of a single business, criminals get the keys to dozens — or even hundreds — of the service provider’s clients’ business networks. However, amateur hackers are far more likely to pursue an easier target like your small business.

The cost -to the criminal- conducting cybercrime has continued to drop.

The rise of malware as a service is allowing amateur hackers to join the ranks of more seasoned cybercriminals. Not surprisingly, research shows that small businesses now make up the majority of commercial cyberattack victims.

While nearly 70% of small businesses report that they experience cyberattacks, and just 28% say their defense measures are “highly effective.”

Taking these three steps will fortify your own defenses against data breaches:

1. Change passwords regularly.

If you’ve been using the same username and passwords for years, it’s almost guaranteed that those credentials are out there somewhere. These passwords are available on the dark web for only pennies — or, you know — for free.

Changing passwords regularly may be a hassle, but it’s an important security practice. It helps prevent hackers from purchasing old login information on the dark web and using it to break into your organization’s network.

Putting systems in place that require employees to change their passwords every few months is an inexpensive — usually free — security improvement.

But if you want to avoid a mutiny and up your chances of compliance, explain it to your team beforehand. When employees know what’s at stake, they are likelier to buy into what might otherwise may feel like an annoyance.

I worked for one company years ago that make us change passwords every three weeks to a 25 bit new password and no part of the password could be repeated in a six-month period.

The system was still hacked and we had to contact millions of clients to reset their passwords (hundreds of us working around the clock to get this done). This company didn’t allow a password manager. If your employees don’t like it — too bad — it’s your company — and it’s your duty to protect it.

Consider investing in a password manager to make things as easy as possible, if you are concerned about employee pushback.

According to one study, employees have to juggle one hundred ninety-one passwords on average. Password managers are generally inexpensive, and the convenience they offer makes them a worthwhile investment for companies of all sizes.

2. Implement two-factor authentication.

If hackers do manage to get hold of login credentials, two-factor authentication is another gatekeeper. Two-factor authentication, also known as 2FA, requires an additional form of identity validation beyond a password. This second layer can be a code or PIN number. These requests are commonly sent via SMS.

You can also set this second code for a hardware token such as a key fob that only the user can access.

No solution is 100% secure. Some companies with particularly sensitive data are even relying on multi-factor authentication, which requires additional user verification beyond two-factor authentication. Some of the latest verification methods include iris or fingerprint scans as well as facial recognition.

Depending on your security needs and budget, it’s recommended that you start with whatever form of two-factor authentication you can afford to implement. Although SMS-text verification is the simplest and least secure, your employees are probably already familiar with it, and it’s a step up in security from traditional credentials.

That’s why cybercriminals try to scam people first and then hack the networks. Verizon’s 2017 Data Breach Investigations Report indicates that 90% of cybersecurity incidents involved an element of phishing.

Phishing attempts used to center on mass spam emails where senders were able to capitalize on a few errant clicks. Now, cybercriminals are sharpening traditional phishing attacks with basic social engineering. Called spear-phishing, attacks will use the information obtainable online to make their attempts to gain access more legitimate.

The hacker might pose as a CEO and send requests for financials to an accountant. They might pretend to be an executive and ask an assistant for help remembering a password. If your employees aren’t trained to spot these attacks, they’ll miss the minute details that indicate a scam.

Implement a training program and test employees using fake phishing emails on a regular basis.

When a target does engage with the email, you can conduct a follow-up to help the employee understand where they went wrong and how to improve next time. It’s a mistake for small business owners to assume they’re not targets just because they have far less data to steal than major corporations.

Unfortunately, their limited cybersecurity defense budgets make them easier to take advantage of entrepreneurs, startups and small businesses.

Hackers know all too well that some small business owners fail to take even the most basic precautions. Even a few key improvements will help you avoid the catastrophic consequences of a data breach.